Re: Digging into a problem

Tue, 03 Jul 2012 10:57:03 -0700 

On 03/07/2012 00:11, Matthias Wimmer wrote:

Hi Alexey,


Alexey Melnikov schrieb am 2012-07-02 11:33:20:

I am currently digging into a problem I have with cyrus sasl since I
upgraded from Ubuntu 11.10 to 12.04.

Which version of SASL is used by Ubuntu 12.04?

Ubuntu 12.04 has Cyrus SASL 2.1.25 - and it seems the same packages are
used as currently in Debian testing.

Ok, this is fairly recent.

I should have also asked for the Cyrus SASL version used by Ubunto 11.10.
I need to check what has changed between these 2 versions of Cyrus SASL in order to have any meaningful theory. 
What does your program do (or more specifically, how does it use
libsasl)? In general, SASL plugins like DIGEST-MD5 can request both
cleartext attribute (userPassword) and a non cleartext one, but
should work if either one of them is present. Hopefully the same
applies to your program.

At the start:

sasl_server_init(<list of callbacks>, "jadc2s")
=>  I get SASL_OK

my list of callbacks has three elements:
- SASL_CB_CANON_USER
- SASL_CB_PROXY_POLICY
- SASL_CB_LIST_END


/usr/lib/sasl2/jadc2s.conf contains:

log_level: 7
mech_list: DIGEST-MD5

sql_engine: pgsql
sql_hostnames: breg.amessage.eu
sql_user: sasl
sql_passwd: XXXXXXXX
sql_database: sasl
sql_select: SELECT password FROM system_users WHERE username='%u' AND realm='%r'

the last line had been:

sql_select: SELECT password FROM system_users WHERE '%p'='userPassword' AND 
username='%u' AND realm='%r'


For any connection, I set:

sasl_server_new("xmpp",<default domain of server>,<default domain of 
server>,<ip>,<ip>, NULL, 0,&sasl_conn);
sasl_setprop(..., SASL_SEC_PROPS, ...);
        min_ssf:        0
        max_ssf:        -1
        maxbufsize:     1024
        property_names: NULL
        property_values:NULL
        security_flags: SASL_SEC_NOANONYMOUS
sasl_setprop(..., SASL_DEFUSERREALM,<domain of the client>);
sasl_setprop(..., SASL_SSF_EXTERNAL,<value from GnuTLS>);

I request:

sasl_listmech(...)

Authentication is done using (client can send initial data):

sasl_server_start(...)
sasl_server_step(...)

After authentication I would do:

sasl_getprop(..., SASL_MAXOUTBUF, ...);
sasl_getprop(..., SASL_USERNAME, ...);



Instead
it tries to read /etc/sasldb2 (which is not used in my setup).

You have SASLDB auxprop plugin installed and enabled. If you don't
want to use it, you should disable it.

that's "auxprop_plugin: sql", right?

Yes.

Reply via email to